EMOTET Returns, Starts Spreading via Spam Botnet

We first detected the banking malware EMOTET back in 2014, we looked into the banking malware’s routines and behaviors and took note of its information stealing abilities via network sniffing. In August, we found increased activity coming from new variants (Detected by Trend Micro as TSPY_EMOTET.AUSJLA, TSPY_EMOTET.SMD3, TSPY_EMOTET.AUSJKW, TSPY_EMOTET.AUSJKV) that have the potential to unleash different types of payloads in the affected system.

A Resurgent Malware

While the motivation behind EMOTET—information theft—remain the same, the reason as to why the malware resurfaced could be mainly attributed to two main possible reasons.

First, the authors behind this attack may be targeting new regions and industries.

While the earlier variants of EMOTET primarily targeted the banking sector, our Smart Protection Network (SPN) data reveals that this time, the malware isn’t being picky about the industries it chooses to attack. The affected companies come from different industries, including manufacturing, food and beverage, and healthcare. Again, it is possible that due to the nature of its distribution, EMOTET now has a wider scope.

The United States, United Kingdom, and Canada made up the bulk of the target regions, with the US taking up 58% of all our detected infections, while Great Britain and Canada were at 12% and 8% respectively.

Figure 1: Regional Distribution of the EMOTET attacks from June 6 to September 6, 2017

Second, these new variants use multiple ways to spread. Its primary propagation method involves the use of a spam botnet, which results in its rapid distribution via email. EMOTET can also spread via a network propagation module that brute forces its way into an account domain using a dictionary attack. EMOTET’s use of compromised URLs as C&C servers likely helped it spread as well.

The element of surprise could also have played a role in its effectiveness: due to its recent inactivity, EMOTET’s resurgence managed to catch its targets off-guard, making the attacks, new capabilities, and distribution more effective.

For a malware with email-spamming and lateral-movement capabilities, infecting business systems and acquiring corporate e-mails translates to larger and more effective spam targeting and a higher chance of gaining information.

Figure 2: EMOTET Infection Diagram for the recent wave of attacks

Arrival and Installation

The new EMOTET variants initially arrive as spam claiming to be an invoice or payment notification to trick its victims into believing that this is a legitimate email from a supplier.

Figure 3: Sample spam email

In the body of this email is a malicious URL that will download a document containing a malicious macro when a user clicks on it. This macro will then execute a PowerShell command line that is responsible for downloading EMOTET.

Here are some of the sample URLs we discovered:

hxxp://abbeykurtz[.]com/VZZQNZJIZD9113942

hxxp://aplacetogrowtherapy[.]com/CNNKIAPGEP3572621

hxxp://vanguardatlantic[.]com/Invoice-number-7121315833-issue/

hxxp://charly-bass[.]de/Copy-Invoice-0954/

Once downloaded, EMOTET drops and executes copies of itself into the following folders:

If EMOTET has no admin privileges, it will drop the copies into %AppDataLocal%\Microsoft\Windows\{string 1}{string 2}.exe

If EMOTET contains admin privileges, it will instead drop the copies into System%\{string 1}{string 2}.exe

The malware will attempt to ease its entry into the system by deleting the Zone Identifier Alternate Data Stream (ADS), which is a string of information that describes the Internet Explorer Trust Settings of the file’s download source. This is one way for the system to find out if a downloaded file is from a high-risk source, blocking the download if it is detected as such.

EMOTET will then register itself as a system service and adds registry entries to ensure that it is automatically executed at every system startup. The typical windows service acts as a “controller” for most hardware-based applications, while others are used to control other applications. The EMOTET malware, on the other hand, uses it for both Elevation of Privilege, and as an autostart mechanism.

Routines

EMOTET will list the system’s currently running processes and then proceed to gather information on both the system itself and the operating system used.

It will then connect to the Command & Control (C&C) servers to update to its latest version, as well as to determine the type of payload that it will deliver. One of the possible payloads is the persistent banking trojan known as DRIDEX, which attempts to harvest banking account information via browser monitoring routines. Furthermore, the malware can also turn the infected system into part of a botnet that sends spam emails intended to spread the malware even further. This allows the trojan to spread quickly, as the more systems it can potentially infect, the faster it will propagate. The malware is also capable of harvesting email information and stealing username and password information found in installed browsers

We discovered that in addition to the above payloads, the C&C server is responsible for sending modules that will perform the following routines, which includes:

SPAMMING Module

Network Worm Module

Mail Password Viewer

Web Browser Password Viewer

From our recent samples of EMOTET malware, we have observed that it has become a Loader Trojan that decrypts and loads any binary coming from its Command & Control (C&C) server.

Security Predictions for 2018

Attackers are banking on network vulnerabilities and inherent weaknesses to facilitate massive malware attacks, IoT hacks, and operational disruptions. The ever-shifting threats and increasingly expanding attack surface will challenge users and enterprises to catch up with their security.Read our security predictions for 2018.

Business Process Compromise

Attackers are starting to invest in long-term operations that target specific processes enterprises rely on. They scout for vulnerable practices, susceptible systems and operational loopholes that they can leverage or abuse. To learn more,
read our Security 101: Business Process Compromise.